On May 19, 2020, academics from Tel Aviv University and The Interdisciplinary Center in Israel disclosed a vulnerability in the implementation of DNS recursive resolvers that can be abused to launch disruptive DDoS attacks against any victim. The attack leveraging the vulnerability has been dubbed NXNSAttack by the researchers and is detailed in their research paper [1].
Unlike DDoS floods or application-level DDoS attacks that directly target and impact a host or a service, NXNSAttack targets the domain name resolution capability of its victims. Like the NXDOMAIN or DNS Water Torture attack [2], NXNSAttack aims to disrupt the authoritative servers of a domain by overloading them with invalid requests, using random domain request floods sent through recursive DNS resolvers. The attack is hard to detect and mitigate at the authoritative server because the requests originate from legitimate recursive DNS servers. By disrupting name resolution for the domain, attackers effectively block access to all services provided under that domain: new clients cannot resolve the hostname of a service while the attack is ongoing and therefore have no way of locating the IP address they need to connect to it.
Unlike the limited 3x packet amplification factor of the NXDOMAIN attack, NXNSAttack provides packet amplification factors ranging from 74x when attacking a subdomain (victim.com) up to 1621x when targeting a recursive resolver. The bandwidth amplification factors range between 21x for subdomain attacks and 163x when targeting a recursive resolver. Targeting root and top-level domain servers results in a packet amplification factor of 1071x and a bandwidth amplification factor of 99x. With high amplification rates and flexible targeting, NXNSAttack is a very capable attack vector that can be performed at scale.
The researchers disclosed the vulnerability to vendors and providers, who have already patched their software and servers. The following DNS server implementations had a fix available at the moment of disclosure: ISC BIND (CVE-2020-8616), NLnet Labs Unbound (CVE-2020-12662), PowerDNS (CVE-2020-10995), and CZ.NIC Knot Resolver (CVE-2020-12667). In addition, the following open DNS recursive resolver providers have updated their services to mitigate the use of the vulnerability for DDoS attacks: Cloudflare, Google, Amazon, Microsoft, Oracle (Dyn), Verisign, IBM Quad9, and ICANN. Other software and service providers have followed the announcement with fixes and patching. However, it is safe to assume that not all recursive resolvers, private and public, have been or ever will be patched.
The exposure to attacks or abuse of the vulnerability is not limited to public recursive resolvers; it also impacts private recursive resolvers located at ISPs, in clouds, or within organizations. Malicious actors have leveraged different kinds of bots in the past to launch random domain flood attacks and can leverage the same bots to conduct an NXNSAttack against victims that have no relationship with the resolvers’ owners. Easy access to source code for botnets such as Mirai, which provide “out-of-the-box” support for random domain floods, adds to the potential for these disruptive DDoS attacks.
The victims have no immediate grasp of the risk they are exposed to. Any component of the authoritative DNS infrastructure, including second-level domains (victim.com), top-level domains (.com, .info, …), and the root name servers (‘.’), can be disrupted through recursive DNS resolvers that are outside of their control. Victims are at the mercy of DNS service providers.
Recursive DNS providers can protect their own infrastructure, and protect the internet from attacks, by applying the fix provided by their DNS software supplier or by implementing the Max1Fetch solution proposed by the researchers in their paper [1]. Alternatively, recursive DNS providers can protect their infrastructure against random domain floods through Aggressive Use of DNSSEC-Validated Cache (RFC 8198) or by leveraging Radware DefensePro for DNS protection [3].
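To show why bounding the resolver's work defeats the amplification, the following in-memory model (added here as an illustration; it is not code from the paper or from any DNS implementation, and all names and addresses are constructed) follows a referral whose NS names come without glue. Before the fix, a resolver resolves every glueless NS name it is handed; the Max1Fetch proposal in the paper instead resolves them one at a time and stops at the first usable address. The `ModelResolver` class, its `max_fetch` parameter and the `fetches_for` helper are this example's own names.

```python
"""Model of how a recursive resolver follows a referral whose name servers
come without glue, before and after a Max1Fetch-style limit. This is an
in-memory model written for this alert, not code from any DNS
implementation; all zone names and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Referral:
    """A delegation as seen by the resolver: the NS names for a zone, plus
    whatever glue addresses the referring server included."""
    zone: str
    ns_names: List[str]
    glue: Dict[str, str] = field(default_factory=dict)


class ModelResolver:
    """Counts the extra queries a resolver spends learning NS addresses.

    max_fetch=None : pre-fix behaviour, every glueless NS name is resolved
    max_fetch=k    : at most k NS names are tried, one after another,
                     stopping as soon as one yields an address
    """

    def __init__(self, max_fetch: Optional[int] = None):
        self.max_fetch = max_fetch
        self.fetches = 0  # outgoing queries spent resolving NS names

    def _lookup(self, ns: str, upstream: Dict[str, str]) -> Optional[str]:
        # One outgoing query per NS name; `upstream` stands in for the
        # answers the rest of the DNS would return (constructed).
        self.fetches += 1
        return upstream.get(ns)

    def pick_server(self, referral: Referral, upstream: Dict[str, str]) -> Optional[str]:
        """Return an address to forward the client's query to, or None."""
        # Glue needs no extra query, so it is always preferred.
        for ns in referral.ns_names:
            if ns in referral.glue:
                return referral.glue[ns]
        glueless = [ns for ns in referral.ns_names if ns not in referral.glue]
        if self.max_fetch is None:
            # Eager: resolve all of them, then use the first that worked.
            addrs = [self._lookup(ns, upstream) for ns in glueless]
            return next((a for a in addrs if a), None)
        # Max1Fetch-style: one at a time, with a bounded number of attempts.
        for ns in glueless[: self.max_fetch]:
            addr = self._lookup(ns, upstream)
            if addr:
                return addr
        return None


def fetches_for(referral: Referral, upstream: Dict[str, str], max_fetch: Optional[int]) -> int:
    """Number of NS-address queries one client query costs the resolver."""
    resolver = ModelResolver(max_fetch)
    resolver.pick_server(referral, upstream)
    return resolver.fetches


# A normal delegation: two glueless NS names, both resolvable.
LEGIT = Referral("example.net.", ["ns1.example.net.", "ns2.example.net."])
LEGIT_UPSTREAM = {"ns1.example.net.": "192.0.2.1", "ns2.example.net.": "192.0.2.2"}

# A hostile delegation: many glueless NS names under the target's zone,
# none of which resolves (constructed; the count is arbitrary).
HOSTILE = Referral("attacker.example.", [f"ns{i}.victim.example." for i in range(100)])
HOSTILE_UPSTREAM: Dict[str, str] = {}

if __name__ == "__main__":
    for label, ref, up in (("legit", LEGIT, LEGIT_UPSTREAM), ("hostile", HOSTILE, HOSTILE_UPSTREAM)):
        print(f"{label}: pre-fix {fetches_for(ref, up, None)} fetches, "
              f"Max1Fetch {fetches_for(ref, up, 1)} fetch(es)")
```

For the legitimate delegation both behaviours produce a usable address, while for the hostile one the pre-fix resolver spends as many outgoing queries as there are NS names in the referral and the bounded resolver spends one. The vendor patches listed above each implement their own limits; the model only shows why bounding the fetches collapses the amplification.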
DNS over HTTPS (DoH) and DNS over TLS (DoT) do not provide protection against NXNSAttack. The DoH and DoT protocols aim to provide privacy on the client side of name resolution and do nothing to protect the authoritative side of the DNS infrastructure. In the worst case, DoH and DoT can be leveraged as evasion techniques to hide random domain name floods from upstream network sensors and protections inside TLS-encrypted data streams, rendering detection or mitigation of malicious DNS attacks impossible.
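Because DoH and DoT are terminated at the recursive resolver, the resolver itself still sees every query name in the clear even when upstream sensors do not, so detection of random domain floods can be done from the resolver's own query log. The following heuristic is added here as an example and is not taken from any product: it flags clients that send many queries for mostly distinct, mostly failing names under a single domain. The log format (timestamp, client, qname, qtype, rcode), every sample line, the thresholds and the function names are constructed for this example.

```python
"""Heuristic detection of random-subdomain floods in a recursive resolver's
own query log. Written for this alert, not taken from any product; the log
format (timestamp client qname qtype rcode) and every line below are
constructed. DoH/DoT are terminated at the resolver, so it sees these names
in the clear even when upstream network sensors do not."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

FAILURE_RCODES = {"NXDOMAIN", "SERVFAIL"}

# Constructed sample: one ordinary client, one client with a single typo,
# and one client spraying random labels under victim.example.
SAMPLE_LOG = """\
2020-05-19T10:00:00Z 192.0.2.10 www.example.net A NOERROR
2020-05-19T10:00:01Z 192.0.2.10 mail.example.net MX NOERROR
2020-05-19T10:00:02Z 192.0.2.10 www.example.net AAAA NOERROR
2020-05-19T10:00:03Z 192.0.2.10 imap.example.net A NOERROR
2020-05-19T10:00:04Z 192.0.2.10 www.example.net A NOERROR
2020-05-19T10:00:05Z 192.0.2.10 mail.example.net A NOERROR
2020-05-19T10:00:06Z 192.0.2.11 wwww.example.net A NXDOMAIN
2020-05-19T10:00:00Z 198.51.100.7 ks8d1q.victim.example A NXDOMAIN
2020-05-19T10:00:00Z 198.51.100.7 p0a7zz.victim.example A NXDOMAIN
2020-05-19T10:00:00Z 198.51.100.7 m3x91b.victim.example A SERVFAIL
2020-05-19T10:00:01Z 198.51.100.7 q7ff2c.victim.example A NXDOMAIN
2020-05-19T10:00:01Z 198.51.100.7 zz01ab.victim.example A NXDOMAIN
2020-05-19T10:00:01Z 198.51.100.7 h6k2lo.victim.example A SERVFAIL
2020-05-19T10:00:02Z 198.51.100.7 b1c9dd.victim.example A NXDOMAIN
2020-05-19T10:00:02Z 198.51.100.7 r4t5yu.victim.example A NXDOMAIN
"""


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Split one constructed log line; None for anything that is not a query record."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, rcode = parts
    return ts, client, qname.rstrip(".").lower(), qtype, rcode


def registered_domain(qname: str) -> str:
    """Last two labels. Simplification for the example: production code
    should consult the public suffix list so that e.g. co.uk is handled."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze(log_text: str, min_queries: int = 5,
            min_unique_ratio: float = 0.8, min_failure_ratio: float = 0.8) -> List[Dict]:
    """Flag (client, domain) pairs whose queries are mostly distinct labels
    that mostly fail; thresholds are illustrative, not tuned values."""
    stats = defaultdict(lambda: {"total": 0, "failures": 0, "labels": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname, _, rcode = rec
        domain = registered_domain(qname)
        s = stats[(client, domain)]
        s["total"] += 1
        s["failures"] += rcode in FAILURE_RCODES
        s["labels"].add(qname[: -len(domain)].rstrip("."))  # part left of the domain
    flagged = []
    for (client, domain), s in stats.items():
        if s["total"] < min_queries:
            continue  # too little data to judge
        unique_ratio = len(s["labels"]) / s["total"]
        failure_ratio = s["failures"] / s["total"]
        if unique_ratio >= min_unique_ratio and failure_ratio >= min_failure_ratio:
            flagged.append({"client": client, "domain": domain, "queries": s["total"],
                            "unique_ratio": unique_ratio, "failure_ratio": failure_ratio})
    return sorted(flagged, key=lambda f: -f["queries"])


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['client']} -> {f['domain']}: {f['queries']} queries, "
              f"{f['unique_ratio']:.0%} distinct labels, {f['failure_ratio']:.0%} failed")
```

The ordinary client repeats a handful of real names and is never flagged, the single typo falls under the minimum query count, and the spraying client is reported. In practice the counts would be kept per time window rather than over a whole file, and a resolver seeing such a client can rate-limit it before the queries ever reach the authoritative side.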
Increasing the Time to Live (TTL) value of the domain zone increases the resistance of services under the domain against authoritative server disruption, but does so at the cost of the agility of the domain. Moreover, this only helps clients behind resolvers that cached the resolution at an earlier time and does not provide a complete or indefinite solution whilst the attack is ongoing.
Resourceful and pervasive attackers can create an attack infrastructure to target any subdomain (victim.com), potentially impacting other subdomains served by the same domain name server or service provider. Given enough resources, attacks can target top-level domains such as ‘.com’, ‘.info’, ‘.us’, ‘.ca’, ‘.de’, etc., and even attempt to disrupt the internet’s root name servers.